EXECUTIVE SUMMARY


A decade ago, in October 2010, Microsoft unveiled its
cloud-based Office 365 platform. Touted then as one
of the “moments in time when technology transforms
the workplace,” Microsoft's prediction has certainly
come true. In Q3 2020, Microsoft reported 258 million
paid Office 365 business seats; Gartner reports that
71 percent of companies now use cloud or hybrid cloud
email, primarily from Microsoft.


Yet technology evolution doesn't happen in isolation:
cyber threat actors have also evolved with (and thrived
because of) the cloud.


This report examines the top threats missed by Office
365 and well-known secure email gateways (SEGs), based
on an analysis of more than 1.5 billion messages sent
to 18 organizations across different industries. We found
that in one six-month period (March to August 2020),
Office 365 and well-known SEGs missed nearly 1 million
(over 925,000) phishing emails.


Additional findings included:

+ In one example where a customer layered Office 365
with an SEG, more than 300,000 malicious messages
were still missed;

+ Spoofed senders and newly registered domains
(NRDs) accounted for 71.7 percent of the missed
email threats;

+ There was a steady increase in targeted Business
Email Compromise (BEC) attacks, which would
have amounted to several billion dollars in potential
losses; and

+ The summer months saw a sharp increase
in phishing, as attackers took advantage of
coronavirus-related misinformation and remote
workforce transitions.

Not only are threat actors exploiting Office 365 to launch
new campaigns, but victims themselves are Office 365
users, complicating defense measures. A 2018 report
from the U.S. Council of Economic Advisers pointed out
cloud computing's inherent vulnerabilities: there is “a
great degree of risk correlation between firms from cyber
threats that otherwise would not exist if the firms' data
and services were located locally.” Multi-tenant, cloud-first
webmail plus cloud collaboration tools have also created
economies of scale attractive to bad cyber actors hosting
massive phishing campaigns.


Consider bad actors' “nothing-is-sacred” approach to
exploiting COVID-19. For example, our researchers have
observed attackers launching Microsoft OneDrive-branded
phishing campaigns under the guise of “sharing”
CARES Act accounting information. Attackers have also
utilized Microsoft SharePoint and Microsoft Planner
to phish for user credentials, based on the premise of
bonus pay for essential workers.


The good news is, despite the staggeringly large volume
of phishing messages still getting through, Microsoft
continues to improve Office 365's native security
defenses, including its Advanced Threat Protection (ATP).
Additionally, more organizations are starting to invest
in a layered approach to protecting cloud email, as
noted in the latest Gartner Market Guide for Email
Security (ID: 600722358).


However, because 96 percent of phishing attacks come
through email, the first step to closing any potential
Office 365 security gaps is to understand all the different
ways attackers breach Office 365 email.


President & CEO, Area 1 Security


Read on for more insights 

DISSECTING OFFICE 365'S TOP MISSED THREATS


When it comes to enterprise email and collaboration,
Microsoft is a familiar name. With the increase of
work-from-home employees in 2020, Microsoft's user base
has continued to grow, especially for their Microsoft
365 (formerly named Office 365) product suite, which
surpassed 258 million paid business seats in 2020.


The increase in users isn't just good for Microsoft's
bottom line; cyber attackers are also benefiting. Office
365's growing user base means a larger attack surface
area and more targets. As one of the most popular
enterprise collaboration tools, Office 365 offers plenty
of possibilities for attackers to reach victims. Office
365's attack surface area ranges from external attacks
originating outside the enterprise, to internal attacks
within the organization, partner accounts, and through
Microsoft's varied storage and collaboration tools.


When companies move their email infrastructure to
the cloud, they have a certain expectation of security.
When it comes to commodity security services, such
as anti-spam and anti-virus, Microsoft's offerings are
very effective and on par with some of the best
anti-spam and anti-virus providers out there. Yet advanced
threats, such as Types 1-4 Business Email Compromise
(BEC) attacks, continue to plague Office 365 email.

With so many avenues for attack within the Microsoft
environment, security vendors have built extensive
defenses, such as Microsoft's own Advanced Threat
Protection (ATP), in hopes of solving the problem.
However, when it comes to advanced threats, these
defenses fall short of the mark.


With a third of confirmed data breaches involving
phishing and 96% of phishing attacks coming through email,
missed phishing attacks are still a big problem.


Over a recent six-month period, Area 1 Security
analyzed over 1.5 billion email messages from customers
using Microsoft as their email provider. Some of these
customers also had purpose-built secure email gateways
(SEGs) deployed, like Proofpoint and Mimecast, to protect
users from advanced threats. Despite these additional
security measures, Area 1 Security discovered more than
925,000 missed malicious messages and emails that
slipped through. In this report, we'll take a closer look
at the top threats missed by Office 365 and legacy email
security vendors.

TOP MISSED THREATS IN OFFICE 365 EMAIL ENVIRONMENTS


In our sample, the overall missed threat rate was “only” 0.06%, but this still resulted in hundreds of thousands of missed
threats that could have reached end user inboxes. Any one of these threats could also have been the source of a
cyber breach resulting in financial repercussions, loss of intellectual property, and degradation of brand reputation.


NO VACATION FOR ATTACKERS 


Despite the uncertainty and business disruptions in
2020 caused by the COVID-19 global pandemic, attackers
did not seem to suffer a loss of productivity, as
seen in the monthly missed threats breakdown in Fig.
2 below. In fact, attackers took advantage of the
pandemic to target companies as they transitioned
to support a remote workforce.


This instability has created a window of opportunity
as workers try to figure out how to juggle remote work
amongst various domestic challenges. This sudden
change in work conditions has also dramatically
increased remote employees' security risks due to
a lack of enterprise security tools and reassigned
security staff.


With working from home now the norm, Gartner has
also named securing the remote workforce as 2020's
top security project. Remote work statistics support
this; nearly half of global businesses have experienced
a cybersecurity scare since moving to remote work.
The FBI has also experienced a 4x increase in cybercrime
reports since the onset of the pandemic.

MALICIOUS VERDICTS BY MONTH


Our data also tells a parallel story of increasing threats. The large spike of recently created domains, Bitcoin scams,
and spoofed email in the summer 2020 months suggests attackers (like many required to shelter-in-place) also canceled
their vacation and kept right on working. Other threat types remained fairly constant in the first few months and saw
a substantial increase in August 2020.


THREAT SPOTLIGHT: BUSINESS EMAIL COMPROMISE (BEC) 


One of the most dangerous and financially damaging
types of phish, Business Email Compromise, or BEC,
relies on social engineering and exploitation of business
processes instead of malware. According to the FBI,
over 80% of organizations have suffered a BEC attack,
with total losses comprising $26 billion since 2016.


While BEC attacks have been around since the 2010s,
they have become increasingly sophisticated, leveraging
current events as lures. Here's a quick breakdown
of the different types of BECs and a deep-dive example
of each type. (A detailed explanation of each BEC type
is also available in our Guide to BEC ebook.)


BEC PHISHING EVOLUTION 

BASIC TYPE 1 BEC: SPOOFED SENDER DOMAIN, CXO IMPERSONATION


[Figure: annotated screenshot of an example Type 1 BEC email (a request to purchase gift cards); text not recoverable.]


ADVANCED TYPE 2 BEC: COMPROMISED EMPLOYEE 

SOPHISTICATED TYPE 3 & 4 BEC: COMPROMISED BUSINESS PARTNER


MISSED BEC THREATS


While the volume of BEC phishing
was relatively low compared to
other types of attacks, we did see
a steady increase in their numbers
over the six-month period
considered in our data (Fig. 3).
Considering the average wire-transfer
loss is $80,000 per
BEC attack, this would have
amounted to several billion
dollars in losses.

THREAT SPOTLIGHT: CREDENTIAL PHISHING


Credentials are the No. 1 type of data compromised
in phishing attacks, leading to the parallel correlation
that breaches involving actual malware have decreased
by over 40%.


Ironically, attackers often use Microsoft's own tools
and branding against them, targeting Office 365
credentials and impersonating password reset notices
from Microsoft or IT admins, as seen in the example
attack intercepted by Area 1 below.


CREDENTIAL PHISHING ATTACK 

THREAT SPOTLIGHT: BRAND IMPERSONATION


Brand impersonation is a tactic used by attackers to make
malicious emails and websites appear legitimate by
stealing branding elements like names, logos and site
designs. Attackers often go to great lengths to trick
users, hiring web designers to recreate malicious sites
that look almost exactly like the legitimate sites they're
impersonating.


Here's an example breakdown of a brand
impersonation phish that bypassed Office 365,
as well as passed SPF, DKIM and DMARC:


BRAND IMPERSONATION PHISH


[Figure: annotated screenshot; the recoverable callouts are listed below.]

+ Spoofed display name impersonates Chase bank

+ Message passes email authentication (SPF, DKIM and DMARC)

+ URL uses a SendGrid URL


MISSED BRAND IMPERSONATION THREATS


In our data, we saw a steady increase in brand
impersonation phishing within our six month
window (Fig. 4).


FIG. 4. MISSED BRAND IMPERSONATION PHISHING IN OFFICE 365

NG: GLOBAL PANDEMIC


Threat actors are nothing if not opportunistic, picking up the latest trending topics to use as lures. In the case
of COVID-19, threat actors capitalized on the panic surrounding the global pandemic, resulting in a spike in
coronavirus-themed phishing.


Shortly after the World Health Organization declared COVID-19 a pandemic on March 13, 2020, Area 1's
security researchers detected over 88,000 coronavirus-related phish within a single day.


COVID-19 PHISHING DETECTIONS 


FIG. 5. COVID-19-RELATED PHISHING DETECTIONS MADE BY AREA 1 SHORTLY AFTER PANDEMIC DECLARATION.


Watch our threat research team's on-demand COVID-19 webinar to see a detailed
breakdown of coronavirus-related phishing attacks from spring 2020.

PLENTY OF PHISH


Why so much phish? The short answer, from an economic
standpoint, is because it's become cheaper.


Widespread adoption of cloud-based services and free
webmail have tipped the economies of scale in favor
of the attackers. It is far easier and cheaper to use
an established, reputable provider to host malicious
content than to compromise systems. Cloud email
providers like Office 365 and Gmail allow organizations
to host their email domains for a nominal cost, making
these options a financially attractive way for attackers
to defeat email authentication protocols.


In fact, solely relying on email authentication results,
like SPF, DKIM, and DMARC, can create a false sense of
security and even lend legitimacy to phishing emails.


Email authentication has also turned out to be an
error-prone technology to implement, with companies often
confusing the inbound and outbound use cases of
email authentication.


Attackers have found ways to easily defeat email
authentication by using webmail, exploiting the
difficulty in deploying it correctly and inconsistencies
with its enforcement. At the end of the day, email
authentication simply fails to stop phish.
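

An added example (not from the original report): a minimal inbound check showing why a pass on SPF, DKIM and DMARC cannot be read as a safe verdict, using the display-name spoof this report describes. The brand allowlist, the sample message and the function names are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allowlist: brand keyword -> domains that brand really sends from.
BRAND_DOMAINS = {"chase": {"chase.com"}, "microsoft": {"microsoft.com"}}

# Constructed sample: the display name says "Chase", the domain is unrelated,
# and the sender's own domain passes SPF, DKIM and DMARC.
SAMPLE = """\
From: "Chase Online Banking" <alerts@mail-notify.example>
To: user@victim.example
Subject: Action required on your account
Authentication-Results: mx.victim.example;
 spf=pass smtp.mailfrom=mail-notify.example;
 dkim=pass header.d=mail-notify.example;
 dmarc=pass header.from=mail-notify.example

Please review your account.
"""

def auth_results(msg):
    """Return {'spf': 'pass', ...} parsed from Authentication-Results headers."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            results.setdefault(method.lower(), verdict.lower())
    return results

def under(domain, allowed):
    """True if domain equals, or is a subdomain of, any allowed domain."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def assess(raw):
    """Flag brand names in the display name that the From domain does not back."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    auth = auth_results(msg)
    authenticated = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    spoofed = [brand for brand, domains in BRAND_DOMAINS.items()
               if brand in display.lower() and not under(domain, domains)]
    # Authentication proves which domain sent the message, not that the
    # sender is the brand named in the display name.
    return {"from_domain": domain, "authenticated": authenticated,
            "impersonated_brands": spoofed,
            "verdict": "suspicious" if spoofed else "no brand mismatch"}

if __name__ == "__main__":
    print(assess(SAMPLE))
```

The sample message is fully authenticated and still flagged, because the check compares the claimed brand with the authenticated domain instead of trusting the pass results alone.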


Additionally, evasive techniques such as using images
instead of text in email, hosting malware on
newly-created domains without reputation, and nesting
malicious URLs mean that plenty of phishing messages
continue to slip through legacy email security vendors.


SECURE EMAIL GATEWAYS AREN'T ENOUGH


As previously mentioned, some deployments in our analysis employed a SEG in addition to Office 365's native
defenses. These deployments didn't fare much better in terms of catching phish, missing more than 300,000
malicious messages within a single customer environment in some cases (Fig. 6).

These SEGs were deployed as the MX record, providing a first line of defense against phishing emails before “clean”
messages are delivered into Office 365, where Office 365 gets the opportunity to apply its own detection technologies.
In other words, the missed phish that were identified in these heavily fortified email environments were missed by
both the SEG and Office 365.

HOW TO PROTECT YOUR OFFICE 365 EMAIL ENVIRONMENT


It's clear from these findings that attackers are constantly looking for new ways to circumvent Office 365's native defenses.
Additionally, even if email authentication (DMARC, SPF, DKIM) is properly configured and enabled, phishing messages
can still get through. SEGs are also falling short when it comes to stopping advanced phishing and targeted attacks.


Gartner's 2020 Market Guide for Email Security (ID 600722358) states that “Gartner clients report
dissatisfaction with natively available capabilities [of G Suite and Office 365] and are, therefore,
choosing to supplement with third-party products, as discussed in the Representative Vendors section.”


The guide goes on to note that “there are also a number of solutions now positioned as an alternative
to an SEG. These integrated email security solutions (IESSs) provide many of the capabilities in an
SEG such as advanced malware protection, sandbox analysis and URL analysis, intercepting malicious
emails before they reach a user's inbox. When used in combination with the native capabilities
provided by Google and Microsoft, these can be a viable alternative to gateway protection.”


ADVANCED DETECTION TECHNOLOGIES FOR PROTECTING CLOUD EMAIL ENVIRONMENTS 


At Area 1 Security (a Representative Vendor for Integrated
Email Security Solutions in Gartner's 2020 Market Guide
for Email Security), our preemptive technology employs
proprietary ActiveSensors™ that crawl the web at massive
scale to reveal emergent campaign infrastructure and
aggregate attack data. Our Small Pattern Analytics Engine,
SPARSE™, also identifies phishing attack infrastructure,
patterns of attack formation and threats within datasets
generated by the ActiveSensors network.


Effectively defending against cloud email threats
also requires:

+ Comprehensive email security techniques: These
should include AI and Machine Learning (ML) models,
computer vision, Natural Language Understanding
(NLU) and intent analysis, among other advances.

+ Creating an automated social/partner graph for your
organization: Identify your partner organizations and
perform universal message classification to understand
the natural interactions the organization has with the
rest of the world.

+ Combining preemptive threat data, message
sentiment analysis and conversational context
analysis: This provides a high level of accuracy into
the malicious detections, especially in cases where
a partner has been compromised and becomes the
source of targeted phishing attacks.


Finally, as threat actor patterns evolve, it's important
to ensure that your phishing detection models are
continually enhanced, to proactively identify and stop
phishing attacks before they launch.


To learn more about Area 1 Security's preemptive
capabilities and how to protect your Office 365 environment
from advanced phishing attacks, watch our “Office
365, Compromised” on-demand webinar, or request a
complimentary Phishing Risk Assessment.


